a blog by Sander Berkouwer

For its February 2015 Patch Tuesday, on Tuesday February 10, Microsoft released two security bulletins that address issues in Group Policy. Both issues allow an attacker in a Man-in-the-Middle (MitM) position to bypass security policies by forging or altering the packets a Domain Controller sends to a domain-joined device.

The situation

In many organizations, Group Policies are used to centrally configure settings, printers, drivers and software.

These settings and preferences can be applied locally using gpedit.msc and secpol.msc. They can also be set centrally in Active Directory at the site and domain level, and even granularly per Organizational Unit (OU), using gpmc.msc and, again, gpedit.msc. For non-domain-joined devices, the Security Compliance Manager (SCM) Solution Accelerator and Offline Domain Join (ODJ) can be used to configure settings.

The Security Configuration Engine is responsible for applying the security settings from both the local computer security policy and Group Policy Objects to a device: it receives the policy data as policy files and applies them.

The issues

Multiple issues exist with Group Policy that can be used to cause undesired behavior:

MS15-011

First, an issue has been identified in the way the Security Configuration Engine picks up Group Policy.

By default, the Security Configuration Engine on domain-joined devices automatically downloads the security settings of updated Group Policy Objects (GPOs) from SYSVOL, which the scecli.dll part of the Security Configuration Engine discovers and accesses using Universal Naming Convention (UNC) paths.

An attacker who can spoof, tamper with or redirect the communication between the UNC provider and the device may be able to make Group Policy execute his or her programs or scripts. A common attack vector is a rogue Wi-Fi access point connected to the corporate wired network, optionally configured with the same SSID as the corporate Wi-Fi, so that devices connecting through it have their SYSVOL traffic pass through the attacker.

MS15-014

A second vulnerability exists whereby Group Policy fails to retrieve valid security policy settings because one or more Security Configuration Engine policy files (one gpttmpl.inf per Group Policy Object, holding its security settings) are corrupted or otherwise unreadable when they are interpreted by the scesrv.dll part of the Security Configuration Engine.

An attacker can cause this by modifying the responses of Active Directory Domain Controllers with a Man-in-the-Middle (MitM) approach. The Security Configuration Engine then applies default, potentially less secure, settings instead of the domain-configured ones.

The solutions

MS15-011

To address this vulnerability, Microsoft introduces UNC Hardened Access, a new Windows feature that mitigates Man-in-the-Middle attacks on UNC paths hosting executable programs, script files or files that control security policies, and that improves the protection and handling of data when Windows-based devices access UNC paths. It is configured through the Hardened UNC Paths setting under Computer Configuration, Administrative Templates, Network, Network Provider. No path is hardened by default; Microsoft recommends hardening at least \\*\SYSVOL and \\*\NETLOGON with mutual authentication and integrity.

UNC Hardened Access is available as KB3000483. It is accompanied by KB3004375, which is installed transparently with KB3000483. The update is rated critical for all supported versions of Windows and Windows Server. No update is available for Windows Server 2003: Windows Server 2003-based Domain Controllers cannot be updated and domain-joined Windows Server 2003 installations cannot be configured with UNC Hardened Access, so there is no way to enforce mutual authentication and Server Message Block (SMB) Signing from those clients. (Windows Server 2003-based Domain Controllers do require SMB Signing by default.)
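Added example, not code from the original post: a PowerShell script that audits the resulting registry policy on a list of computers and, for lab machines that Group Policy does not manage, writes the same baseline locally. It assumes PowerShell 3.0 or later, an elevated session, WinRM reachable on the remote computers, and placeholder computer names; the value names and data format are those the Hardened UNC Paths setting writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths.

```powershell
# Added example, not code from the original post: audit (and, on a lab machine,
# set) UNC Hardened Access for the two paths Microsoft recommends hardening.
# Assumptions: PowerShell 3.0 or later, an elevated session, WinRM reachable on
# the remote computers, and placeholder computer names.

$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Baseline: Kerberos mutual authentication and SMB signing for every server's
# SYSVOL and NETLOGON share. RequirePrivacy (SMB encryption) is left out because
# it needs SMB 3.0 on both ends, which Windows Server 2008 R2 and older lack.
$ExpectedPaths = @{
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
}

function Test-HardenedUncPath {
    # Reports, per computer and per expected path, whether both flags are set to 1.
    # Also reports whether KB3000483 is installed, because without it the registry
    # values are ignored. Windows 10 / Server 2016 and later ship the feature built
    # in, so there the hotfix column is not meaningful.
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    Invoke-Command -ComputerName $ComputerName -ArgumentList $HardenedPathsKey, $ExpectedPaths -ScriptBlock {
        param($Key, $Expected)
        $hotfix  = [bool](Get-HotFix -Id 'KB3000483' -ErrorAction SilentlyContinue)
        $current = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
        foreach ($path in $Expected.Keys) {
            # Value data looks like 'RequireMutualAuthentication=1, RequireIntegrity=1';
            # parse it into a hashtable, tolerating the spacing the GPO editor produces.
            $flags = @{}
            $raw = if ($current) { $current.$path } else { $null }
            foreach ($pair in @($raw -split ',')) {
                $name, $value = $pair.Trim() -split '=', 2
                if ($name) { $flags[$name.Trim()] = "$value".Trim() }
            }
            $mutual    = $flags['RequireMutualAuthentication'] -eq '1'
            $integrity = $flags['RequireIntegrity'] -eq '1'
            [pscustomobject]@{
                Computer                    = $env:COMPUTERNAME
                Path                        = $path
                KB3000483Installed          = $hotfix
                RequireMutualAuthentication = $mutual
                RequireIntegrity            = $integrity
                Compliant                   = $hotfix -and $mutual -and $integrity
            }
        }
    }
}

function Set-HardenedUncPath {
    # Writes the baseline to the local policy key, which is what the Hardened UNC
    # Paths Group Policy setting does on a domain-joined machine. Use this only on
    # lab machines; on domain-joined machines configure the Group Policy setting.
    if (-not (Test-Path -Path $HardenedPathsKey)) {
        New-Item -Path $HardenedPathsKey -Force | Out-Null
    }
    foreach ($path in $ExpectedPaths.Keys) {
        New-ItemProperty -Path $HardenedPathsKey -Name $path -Value $ExpectedPaths[$path] `
            -PropertyType String -Force | Out-Null
    }
}

# Usage: Test-HardenedUncPath -ComputerName (Get-Content .\computers.txt) | Format-Table -AutoSize
```

The audit reads the policy key rather than the GPO, so it shows what each client actually enforces after its last Group Policy refresh. A path reported as compliant means that client will refuse SYSVOL and NETLOGON connections that are not Kerberos-authenticated and SMB-signed, so the same script doubles as a pre-rollout inventory of clients for which servers that cannot sign will start to fail.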

MS15-014

An update is available from Microsoft that addresses this vulnerability by correcting how Group Policy settings are applied when a Security Configuration Engine policy file is corrupted or otherwise unreadable.

This update is available as KB3004361 and is rated as an important update for all supported versions of Windows and Windows Server. An update is also available for Windows Server 2003.
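Added example, not code from the original post: a PowerShell check that walks the GPOs in SYSVOL and flags gpttmpl.inf files the Security Configuration Engine would be unable to interpret, which is the condition MS15-014 turns into a fallback to default settings. It assumes a domain-joined machine with read access to SYSVOL, takes the domain name from the environment, and relies on the file name and location (GptTmpl.inf under MACHINE\Microsoft\Windows NT\SecEdit in each GPO folder) and the [Unicode], [Version] and signature="$CHICAGO$" header that the Group Policy editor writes. It detects files corrupted at rest, not responses tampered with in flight; the latter is what the update itself and UNC Hardened Access address.

```powershell
# Added example, not code from the original post: find Security Configuration
# Engine policy files in SYSVOL that the engine cannot interpret.
# Assumptions: a domain-joined machine with read access to SYSVOL; the domain is
# taken from the environment; GptTmpl.inf is the per-GPO security template.

function Test-GptTmplFile {
    # A well-formed GptTmpl.inf is a Unicode INI file that opens with [Unicode] and
    # [Version] sections and the signature="$CHICAGO$" marker, followed only by
    # section headers, key=value lines, ;comments and blank lines. Anything else
    # is a sign of truncation or corruption.
    param([string]$Path)
    $problems = @()
    try {
        $lines = @(Get-Content -Path $Path -ErrorAction Stop)
    } catch {
        return [pscustomobject]@{
            Path = $Path; WellFormed = $false
            Problems = @("cannot read: $($_.Exception.Message)")
        }
    }
    $sections = @($lines | ForEach-Object { if ($_ -match '^\s*\[(.+)\]\s*$') { $Matches[1] } })
    foreach ($required in 'Unicode', 'Version') {
        if ($sections -notcontains $required) { $problems += "missing [$required] section" }
    }
    if (@($lines -match '^\s*signature\s*=\s*"\$CHICAGO\$"\s*$').Count -eq 0) {
        $problems += 'missing signature="$CHICAGO$"'
    }
    $unparseable = @($lines | Where-Object { $_ -notmatch '^\s*(\[.+\]|[^;=\[][^=]*=.*|;.*)?\s*$' })
    if ($unparseable.Count -gt 0) { $problems += "$($unparseable.Count) unparseable line(s)" }
    [pscustomobject]@{ Path = $Path; WellFormed = ($problems.Count -eq 0); Problems = $problems }
}

function Test-SysvolGptTmpl {
    # Walks every GPO folder under the domain's SYSVOL Policies share.
    param([string]$Domain = $env:USERDNSDOMAIN)
    $policiesRoot = "\\$Domain\SYSVOL\$Domain\Policies"
    Get-ChildItem -Path $policiesRoot -Recurse -Filter 'GptTmpl.inf' -ErrorAction SilentlyContinue |
        ForEach-Object { Test-GptTmplFile -Path $_.FullName }
}

# Usage: Test-SysvolGptTmpl | Where-Object { -not $_.WellFormed } | Format-List
```

Run it before and after installing KB3004361: a file it flags is one for which unpatched clients were silently applying defaults, and one to repair (or recreate from a known-good backup of the GPO) regardless of the patch.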

For MS15-011, test both the update and the configuration in a test environment to assess the risk and possible impact on your production environment, then roll out the update to all devices within scope. After that, configure the additional Group Policy settings (the hardened UNC paths).

MS15-014

Microsoft has not identified any mitigating factors or workarounds, so I urge you to install KB3004361 in a test environment as soon as possible, assess the risk and possible impact on your production environment and then, roll out this update to all devices within the Active Directory environment.

After applying KB3004375, KB3031432, KB3000483, and KB3000483, there is no “Network Provider” section in the GPO settings (nor any UNC Hardened Access settings).

Is there some other step that I’m missing? I’m running Server 2012 (not R2)

from Dean, February 13, 2015 at 3:02 AM

KB3000483 adds the feature to the Windows client and Windows Server installations within scope.

You’ll find the file networkprovider.admx (and its corresponding adml file in the folder and locale of your language, for instance ‘en-us’) on these systems. Copy these files to the same location on the Windows device you use to manage Group Policy, or place the files in the Group Policy Central Store on your Domain Controllers.

from Sander Berkouwer, February 16, 2015 at 1:51 PM

What happens if a DC has the patch and gpo, but the client does not? Will it cause a failure to connect?

from J, February 17, 2015 at 6:15 PM

KB3000483 needs to be installed on Windows client devices and Windows Server installations used to access shared folders through UNC paths. UNC Hardened Access settings govern the client settings (even when these clients are Windows Server installations) to access servers.

When you want RequireMutualAuthentication and RequireIntegrity and/or RequirePrivacy, then both the Windows client or Windows Server used to access Shared Folders via UNC Paths and the server hosting the Shared Folders need to be updated with KB3000483.

from Sander Berkouwer, February 20, 2015 at 6:53 PM

I am curious as to the registry keys that are modified by these patches and what are the expected values. I am attempting to build a PowerShell script that will check a list of machines piped in from a file and have it validate the expected registry values are set correctly for the GPO and SMB version 1, 2, and 3.

from Daniel Brewerton, March 20, 2015 at 11:16 AM

Great post. The registry settings are here: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths

from J Westerman, April 23, 2015 at 6:15 PM

Will this GPO have an impact on production DFS shares and other shares?

from Mukund rao, May 31, 2017 at 12:12 PM

Yes, depending on the settings you specify per share, you raise the security level of the share. Some older and/or poorly written applications may not support SMB signing and/or Kerberos-based mutual authentication. These applications will break.

from Sander Berkouwer, June 2, 2017 at 6:39 AM

I was just trying to wrap my head around this and, according to the Microsoft document regarding this issue, they recommend NETLOGON and SYSVOL be protected with the hardening method.

My issue is how to effectively test. The only way I can think of is that it would have to be against an actual domain controller and a domain joined client.

from Tyson Navarre, October 24, 2017 at 10:35 PM

Hi Tyson,

The only effective test would be with at least one Active Directory Domain Controller and each of the types of domain-joined clients (desktops, laptops, specials) in a separate test environment. You can create such an environment by restoring a backup of a Domain Controller to a virtual machine in a strictly separated networking environment. Veeam’s SureBackup and Microsoft’s Azure Site Recovery Services both offer the functionality to create an environment that fulfills the latter requirement.


The information on this website is provided for informational purposes only and the authors make no warranties, either express or implied. Information in these documents, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Active Directory, Microsoft, MS-DOS, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.